Open naedx opened 2 years ago
Hello @naedx, thank you for reaching out. Currently, AppSync resolvers are expected to merge the values. I believe this would make a great feature request. I would also encourage contributing this to the repository by creating a PR as the team would be able to review the request.
Hi @ykethan , thank you for looking into this! I understand that the resolvers should and do "merge the values" like you said but I still think this is a bug rather than a feature request.
#set( $mergedValues = $util.defaultIfNull($ctx.stash.defaultValues, {}) )
What I think is the problem is how the merging is done . In the line above $mergedValues
is assigned a new, empty map if $ctx.stash.defaultValues
is null. $mergedValues
can then be manipulated (eg $mergedValues.put("key", "value")
) without downstream side-effects.
Otherwise, $mergedValues
is assigned the address of $ctx.stash.defaultValues
through pass-by-value when $ctx.stash.defaultValues
is not null. The subsequent modifications on $mergedValues
will therefore have the side-effect of changing the original object (for every subsequent resolver). I don't think this is intended because:
$ctx.stash.defaultValues
contains default, clean values that are set by the developer when in fact it contains untrustworty user data. The approach that I proposed in "Additional information" (above) would resolve the issue, merging the values into the $mergedValues
variable - just without causing the side-effect on the stash variable.
Regarding contributing a PR for this scenario: I was in the process of creating PR some weeks ago that implements what I proposed but the change resulted in several tests failing in (the wider project) since they check against snapshots that contain the original code. I'll probably need some help with this.
Before opening, please confirm:
How did you install the Amplify CLI?
npm
If applicable, what version of Node.js are you using?
No response
Amplify CLI Version
8.5.1
What operating system are you using?
Windows
Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.
No manual changes made
Amplify Categories
api
Amplify Commands
push
Describe the bug
The
$ctx.stash.defaultValues
is updated during the execution of a pipeline with values from the input merged in. This occurs after the$mergedValues
variable is created and set in the way described below (see Additional Details). This side-effect persists to downstream resolvers.The problem is that any resolver that later expects a clean set of values in
$ctx.stash.defaultValues
will unknowingly be using user-generated data.Expected behavior
ctx.stash.defaultValues
should never be updated with user data.Reproduction steps
Observe that
$ctx.stash.defaultValues
is overwritten with merged data (input + defaults) after the RequestMapping template for"functionName": "MutationCreateBlogDataResolverFn"
is executed (see Log output below).GraphQL schema(s)
Log output
Additional information
I believe this problem stems from:
https://github.com/aws-amplify/amplify-category-api/blob/2c2718284b557dcebb1c8de9f6021722be9ac60b/packages/amplify-graphql-model-transformer/src/resolvers/mutation.ts#L39-L42
which generates:
The problem would be avoided if the following were to be generated instead: